On Sun, 11 Feb 2007 19:58:49 -0800
Grant <[EMAIL PROTECTED]> wrote:
> > > A good rootkit will install a "ps" that won't show the 'bot
> > > processes. The one time a machine of mine got hacked, netstat
> > > still worked, but I don't know why a hacked netstat couldn't be
> > > installed as well.
> >
> > > Looking through /proc/≤pid> is probably still reliable.
> >
> >
> > Hello Grant,
> >
> > I keep an old portable around, running wireshark and a flat hub.
> > You can set your ethernet address to 0.0.0.0 and fire up wireshark.
> >
> > You can then sniff any (ethernet) segment of your network for
> > nefarious traffic or male-configured network applictions.
> >
> > hth,
> >
> > James
>
> I can see in an xfce4 panel plugin that there is constantly a small
> amount of incoming/outgoing traffic to/from the affected system when
> there is no reason I know of for it. netstat doesn't show anything
> that jumps out at me although this is the first time I've really used
> it. All of the current netstat connections appear to be UNIX as
> opposed to Internet. Should I paste them in?
>
> - Grant
> [Error decoding BASE64]
nope, they're all local socket connections. What kind of traffic are
you seeing, i mean how much? Ever heard of tcpdump?
--
gentoo-user@gentoo.org mailing list
